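/*
 * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

#ifndef SQUID_ANYP_TRAFFIC_MODE_H
#define SQUID_ANYP_TRAFFIC_MODE_H

namespace AnyP
{

/**
 * Set of 'mode' flags defining types of traffic which can be received.
 *
 * Use to determine the processing steps which need to be applied
 * to this traffic under any special circumstances which may apply.
 *
 * Every flag defaults to false. The flags are independent booleans:
 * nothing in this class prevents several of them being set together,
 * so callers must test each flag whose requirements they implement.
 */
class TrafficMode
{
public:
    /** marks HTTP accelerator (reverse/surrogate proxy) traffic
     *
     * Indicating the following are required:
     *  - URL translation from relative to absolute form
     *  - restriction to origin peer relay recommended
     */
    bool accelSurrogate = false;

    /** marks ports receiving PROXY protocol traffic
     *
     * Indicating the following are required:
     *  - PROXY protocol magic header
     *  - src/dst IP retrieved from magic PROXY header
     *  - indirect client IP trust verification is mandatory
     *  - TLS is not supported
     */
    bool proxySurrogate = false;

    /** marks NAT intercepted traffic
     *
     * Indicating the following are required:
     *  - NAT lookups
     *  - URL translation from relative to absolute form
     *  - Same-Origin verification is mandatory
     *  - destination pinning is recommended
     *  - authentication prohibited
     */
    bool natIntercept = false;

    /** marks TPROXY intercepted traffic
     *
     * Indicating the following are required:
     *  - src/dst IP inversion must be performed
     *  - client IP should be spoofed if possible
     *  - URL translation from relative to absolute form
     *  - Same-Origin verification is mandatory
     *  - destination pinning is recommended
     *  - authentication prohibited
     */
    bool tproxyIntercept = false;

    /** marks intercept and decryption of CONNECT (tunnel) SSL traffic
     *
     * Indicating the following are required:
     *  - decryption of CONNECT request
     *  - URL translation from relative to absolute form
     *  - authentication prohibited on unwrapped requests (only on the CONNECT tunnel)
     *  - encrypted outbound server connections
     *  - peer relay prohibited. TODO: re-encrypt and re-wrap with CONNECT
     */
    bool tunnelSslBumping = false;

    /** true if the traffic was intercepted by NAT or TPROXY
     *
     * Only natIntercept and tproxyIntercept are consulted. The result
     * says nothing about tunnelSslBumping, proxySurrogate or
     * accelSurrogate; code enforcing the requirements listed for those
     * modes must test those flags directly.
     *
     * Declared const because it only reads the flags, so it can be
     * called through a const TrafficMode.
     */
    bool isIntercepted() const { return natIntercept || tproxyIntercept; }
};

} // namespace AnyP

#endif
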